
HHS Releases Updated HIPAA Security Rule Guidance Materials

HHS confirms that HIPAA compliance is not a one-time exercise, but an ongoing process that requires organizations to continuously assess, manage, and reduce security risks.

By BAS | 1 min read

The U.S. Department of Health and Human Services (“HHS”), through its Office for Civil Rights (“OCR”), recently released updated HIPAA Security Rule guidance materials designed to help covered entities and business associates strengthen their protection of electronic protected health information (“ePHI”). The updated materials reinforce that HIPAA compliance is not a one-time exercise, but an ongoing process that requires organizations to continuously assess, manage, and reduce security risks.

OCR emphasized that organizations must maintain risk management practices that reduce risks and vulnerabilities to ePHI to a "reasonable and appropriate" level, as the Security Rule requires. The guidance also highlights increasing regulatory scrutiny of whether organizations base their risk management on the threats they actually face, rather than relying solely on outdated or generic security measures.

The updated materials include educational resources covering:

  • Risk analysis and risk management requirements under the HIPAA Security Rule
  • Common OCR investigation findings involving potential Security Rule violations
  • Cybersecurity and ransomware guidance
  • Remote access and mobile device security
  • Recognized security practices under the HITECH Act
  • Resources from the National Institute of Standards and Technology (“NIST”)

OCR also noted that, under the 2021 amendment to the HITECH Act, when determining fines, audit results, and remedies it must consider whether an organization adequately demonstrates that it has had recognized security practices, such as NIST-based frameworks, in place for at least the prior 12 months.

For HR and benefits teams, the guidance serves as an important reminder that safeguarding employee health information requires continuous monitoring, documented security procedures, workforce training, and periodic reassessment of evolving cyber risks. Employers working with vendors, TPAs, brokers, and technology providers should also confirm that each has appropriate security safeguards in place and that business associate agreements and other contractual protections cover the handling of ePHI.

The updated guidance materials and educational resources are available from HHS OCR.

Benefit Allocation Systems (BAS) provides online solutions for: Employee Benefits Enrollment; COBRA; Flexible Spending Accounts (FSAs); Health Reimbursement Accounts (HRAs); Leave of Absence Premium Billing (LOA); Affordable Care Act Record Keeping, Compliance & IRS Reporting (ACA); Group Insurance Premium Billing; Property & Casualty Premium Billing; and Payroll Integration.

MyEnroll360 integrates with major insurance carriers for enrollment eligibility management (e.g., Blue Cross, Blue Shield, Aetna, United Health Care, Kaiser, CIGNA and others), and with leading payroll platforms for enrollment deduction management (e.g., Workday, ADP, Paylocity, PayCor, UKG, and others).

This article is for informational purposes only and is not intended as legal, tax, or benefits advice. Readers should not rely on this information for taking (or not taking) any action relating to employment, compliance, or benefits. Always consult with a qualified professional before making decisions based on this content.
